Plus: SystemD has a privilege escalation flaw that needs patching, and more bits and bytes

Roundup Kaspersky has detailed its takedown of a massive so-called watering-hole attack that appears to target certain folks in China. It is the top story in The Reg's infosec roundup, which looks at issues of the past week beyond our own detailed coverage.

The security firm said the operation, designed to target "more than 10 websites related to religion, voluntary programs, charity and several other areas," used sites set up to deliver backdoors primarily crafted from open source tools and GitHub repos.

"We were not able to witness any live attacks and thus could not determine the operational target. However, this campaign once again demonstrates why online privacy needs to be actively protected," said Kaspersky researcher Ivan Kwiatkowski.

"Privacy risks are especially high when we consider various social groups and minorities because there are always actors that are interested in finding out more about such groups."

Google backtracks on Cookie-cutter plan

Google has delayed its crackdown on third-party cookies. The proposed changes to Chrome 80 have been dialed back in order to prevent any critical websites from going down at an important time.

"While most of the web ecosystem was prepared for this change, we want to ensure stability for websites providing essential services including banking, online groceries, government services and healthcare that facilitate our daily life during this time," Google said.

Tencent outlines Lexus flaws

Bad news for Lexus owners: Tencent's Keen Security Lab has disclosed a number of bugs that could be used by malware or a hacker to move from a compromised entertainment system into the car's main driving network. "Keen Security Lab has discovered several security findings in Bluetooth and vehicular diagnosis functions on the car, which would compromise AVN [Audio, Visual and Navigation] unit, internal CAN network and related ECUs," the researchers said.

"By chaining the findings, Keen Security Lab are able to wirelessly take control of AVN unit without any user interaction, then inject malicious CAN messages from AVN unit into CAN network to cause a vulnerable car to perform some unexpected, physical actions."

To be fair, automobile attacks aren't exactly practical when it comes to real-world settings, and there was only one model tested (the 2017 NX 300). Still, Lexus owners will be eager to see Toyota issue a fix for the bugs.

Microsoft talks up COVID-19 efforts with hospitals

Microsoft is looking to lend a hand to medical providers hit by the coronavirus pandemic. Redmond says it will be stepping up its efforts to help facilities avoid ransomware attacks during this critical period.

Hackers take advantage of old passwords for attacks on retailers

The team at Vigilante.io has detailed a new, targeted attack on large retailers that uses databases of common passwords to try to guess credentials.

While it's understandable for inexperienced users to select easily guessed or re-used passwords, there is no reason for an admin, particularly at a large retailer, to have a weak login.

SystemD found to have code execution bug

A flaw in SystemD could potentially be exploited by a local attacker or malware to elevate their privileges to fully hijack a machine.

The bug, CVE-2020-1712, a heap use-after-free, was discovered and reported by Google's Tavis Ormandy, and fixed in upstream version v245-rc1. Depending on your Linux distro, you may or may not have a vulnerable version installed; check for updates. Red Hat Enterprise Linux 7 is unaffected, for example.

CIRA launches Canadian Coronavirus program

Canada's .ca registry overseer CIRA is launching its own effort to protect critical infrastructure from attacks during the pandemic.

"Unfortunately, hackers are taking advantage of some of our most vulnerable institutions in this challenging time and CIRA would like to lend its expertise and infrastructure to help protect them," the agency said.

FBI says COVID-19 attacks will only get worse

The FBI's IC3 reports that coronavirus-related scams are on the rise and, unfortunately, appear set only to grow in number over the coming weeks.

"As of March 30 2020, the FBI's Internet Crime Complaint Center (IC3) has received and reviewed more than 1,200 complaints related to COVID-19 scams. In recent weeks, cyber actors have engaged in phishing campaigns against first responders, launched DDoS attacks against government agencies, deployed ransomware at medical facilities, and created fake COVID-19 websites that quietly download malware to victim devices," the FBI warned.

"Based on recent trends, the FBI assesses these same groups will target businesses and individuals working from home via telework software vulnerabilities, education technology platforms, and new Business Email Compromise schemes."